I'm doing some reading into website security services like SiteLock, CloudFlare and Sucuri and must admit it has left me confused. What do these services do that go above & beyond the security measures I implement on my website?

I'm looking at their prices and they vary quite a bit: Sucuri asks for USD 89.99/year for 1 website, SiteLock's SecureSite goes for USD 79/month while CloudFlare Business goes for a whopping USD 200/month. While they do offer different packages the huge difference in pricing makes me wonder if they are offering widely different services. I know some offer a CDN (a bonus) and scanning is definitely useful in the event something nasty does sneak by.

I don't claim to be a website security expert but I'm competent enough to form at least a basic line of defense: .htaccess rules, limiting login attempts, additional security plugins for CMS etc... Is it worth spending the extra money for these services?

wwb_99
—
2014-06-27T13:08:26Z —
#2

I'm only familiar with CloudFlare here but they specialize in keeping your site running during DDOS attacks -- or legitimate traffic flare ups. They are more of a CDN with a security bent than a pure play security vendor.

If you are in fact in a position to get real internet-scale DDOS attacks they are worth every penny.

damoncloudflare
—
2014-06-30T17:57:44Z —
#3

A little curious as to why you're starting at the Business level for CloudFlare. We also offer a Pro version that's twenty dollars a month & includes the Web Application Firewall. The basic CDN is offered to all customers (free and above). We don't offer scanning and removal of malware via CloudFlare.com at this time, but we did recently acquire StopTheHacker as well (they offer malware scanning and removal).

pocketsized
—
2014-07-01T00:12:43Z —
#4

@damoncloudflare: Nice to hear from you guys. The more complete story is that a client specifically requested for SiteLock. When I looked them up I immediately thought of CloudFlare and Sucuri. My curious nature wants to learn the difference between these services so I can better recommend them to future clients.

The reason I brought up the Business Level for CloudFlare is that it seems it would meet the needs of the client who asked for SiteLock. I was doing a comparison. I know the packages between companies aren't perfectly comparable but that's what led to my confusion in the first place: what exactly is the difference when two different companies say they do daily Malware scanning?

I am getting a better picture of things now. Thanks for your input!

sucuri
—
2014-07-01T03:35:56Z —
#5

These are all great questions, hopefully I can help shed some light on the differences here (although I admit there are some similarities). Like the Desktop AntiVirus space, there are various players right? Trend, AVG, AVAST, SYMANTEC... etc... each one does the task a little differently.

Your question was around Website Security so let's focus there.

SiteLock's latest plans bundle their Website Firewall with their Malware Detection. Two fundamentally different tasks. What they don't do is include remediation in the event your website is hacked already.

CloudFlare's plans focus on network / content optimization (speeding up your website). They're best known for being a great free CDN, but they too have a Website Firewall that comes at the $20 plan as they mentioned above. They recently acquired a Malware Detection firm and just recently released a Malware Detection scanner based on that technology. They're not actively doing remediation through their main property, but they have a secondary property that probably still is.

Sucuri, the folks I represent, will offer you Malware Detection and Remediation as well as a Website Firewall. The Detection / Remediation is $89.99 per domain a year with the Website Firewall starting at $9.99 / month.

So, not sure if that clarified things so let me focus on the things I mentioned above:

Malware Detection - this is the act of identifying when your website is being used for something other than what you intended.

Malware Cleanup - if something goes horribly wrong, the attackers figure out how to get past all your hardening and security, this is the process of getting you cleared up.

Malware Prevention - this is the process in which the Website Firewall comes into play. It's designed to stop attacks, keep malware off your website and keep the hackers out.

This is perhaps the most interesting question in your piece:

I don't claim to be a website security expert but I'm competent enough to form at least a basic line of defense: .htaccess rules, limiting login attempts, additional security plugins for CMS etc... Is it worth spending the extra money for these services?

I'm obviously biased, but the answer is most often yes. .htaccess rules, limiting login attempts and additional security plugins are in every website we, Sucuri, clean on a daily basis. It's not to say that they don't work, but they're very limited and are specific at the local based protection. The most effective website security today is being built and found at the edge, that's something all three organizations are offering.

The real difference in protection between the three comes in the way the applications are built. CloudFlare just rebuilt their WAF to be more effective, SiteLock leases their WAF and Sucuri built their WAF based on a fundamentally different model than both existing models.

Perhaps the biggest difference you should be asking, especially if what you're working with is CMS' is which company is best known for their CMS work. That would be Sucuri, by far. We know and understand CMS', things like WordPress, Joomla, osCommerce, Magento, etc... so much so that we spend a good amount of time talking about it.

As for the basic question, is it worth it? I guess the real question comes down to each individual. How much time do you want to spend yourself hardening and monitoring each website and its environment? If you feel you absolutely must, then there is your answer. But if you find yourself needing to focus on more important aspects of your business, then there too you have your answer.

Hope this helps.

damoncloudflare
—
2014-07-01T19:41:09Z —
#6

pocketsized said:

@damoncloudflare: Nice to hear from you guys. The more complete story is that a client specifically requested for SiteLock. When I looked them up I immediately thought of CloudFlare and Sucuri. My curious nature wants to learn the difference between these services so I can better recommend them to future clients.

The reason I brought up the Business Level for CloudFlare is that it seems it would meet the needs of the client who asked for SiteLock. I was doing a comparison. I know the packages between companies aren't perfectly comparable but that's what led to my confusion in the first place: what exactly is the difference when two different companies say they do daily Malware scanning?

I am getting a better picture of things now. Thanks for your input!

Glad to help:) Feel free to ask me any additional questions.

pocketsized
—
2014-07-07T11:30:05Z —
#7

@sucuri: Woah, Sucuri is here too! I wonder if the peeps from SiteLock will drop by in 3... 2... 1...

Thanks so much for the detailed info! I've read it, and have been doing more reading since I originally made this post, and it's all helped paint a clearer picture of things. Will definitely keep all this in mind when quoting to my own clients.

KARTHOST
—
2014-07-09T15:45:44Z —
#8

@sucuri I have a question, if someone were to use all three together, Sucuri, SiteLock, & Cloudflare (basic) would there be any conflict if a site is hacked with malware and the site owner comes to Sucuri to fix?

In my research both CloudFlare and SiteLock require you to update your DNS records to point to their server. Since you can only point your DNS to one of the services, I'm assuming there is no way to integrate them. Perhaps if you contacted them they could do some magic in the back end.